
Pulsar Access Control: Token Mode

Author: LaxChan | Published: 2019-10-21 12:31

    Reference links

    Token mode

    Authentication is based on JSON Web Tokens (RFC 7519).
    Specification documents:
    https://jwt.io/introduction/
    https://tools.ietf.org/pdf/rfc7519.pdf

    • Secret key method
    1. Generate the secret key
      bin/pulsar tokens create-secret-key --output /path/to/my-secret.key --base64

    2. Create a token
      bin/pulsar tokens create --secret-key file:///path/to/my-secret.key --subject test-user --expiry-time 1y

    3. Grant permissions
      bin/pulsar-admin namespaces grant-permission my-tenant/my-namespace --role test-user --actions produce,consume

    4. Modify the broker configuration

    authenticationEnabled=true
    authorizationEnabled=true
    authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderToken
    
    tokenSecretKey=file:///path/to/my-secret.key
    
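    # Roles listed here are super-users: they can perform all admin
    # operations and publish/consume from all topics
    superUserRoles=admin
    
    # Credentials the broker itself uses when it connects to other brokers
    brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationToken
    brokerClientAuthenticationParameters=token:[account token]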
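
The checks that stand between a presented token and a role in the secret key method, as an added example (not from the original post and not Pulsar's own code). It assumes HS256 signing; `KEY`, `NOW` and all function names are constructed for illustration.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key-not-a-real-secret!!"  # constructed sample key
NOW = 1_700_000_000                                # constructed fixed clock

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def make_token(key: bytes, subject: str, ttl: int, now: int = NOW) -> str:
    """Issue an HS256 JWT with sub (--subject, the role) and exp (--expiry-time)."""
    header = b64url(json.dumps({"alg": "HS256"}).encode())
    claims = b64url(json.dumps({"sub": subject, "exp": now + ttl}).encode())
    return f"{header}.{claims}.{b64url(sign(key, header + '.' + claims))}"

def authenticate(token: str, key: bytes, now: int = NOW) -> str:
    """Return the role named by a valid token, or raise ValueError."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(claims_b64))
        sig = b64url_decode(sig_b64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise TypeError("header and claims must be JSON objects")
    except Exception as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm on the verifier; a token must not pick its own ("none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    if not hmac.compare_digest(sig, sign(key, f"{header_b64}.{claims_b64}")):
        raise ValueError("bad signature")
    exp = claims.get("exp")
    if exp is not None and (not isinstance(exp, (int, float)) or now >= exp):
        raise ValueError("token expired")
    if not isinstance(claims.get("sub"), str) or not claims["sub"]:
        raise ValueError("missing subject")
    return claims["sub"]

def tampered_copy(token: str, new_subject: str) -> str:
    """Constructed negative case: sub rewritten, original signature kept."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(claims_b64))
    claims["sub"] = new_subject
    return f"{header_b64}.{b64url(json.dumps(claims).encode())}.{sig_b64}"
```

The role returned by `authenticate` is the string that `grant-permission --role` and `superUserRoles` are matched against, so anyone holding the secret key can mint a token for any role, including `admin`.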
    
    • Public/private key method
    1. Generate the key pair
      bin/pulsar tokens create-key-pair --output-private-key /path/to/my-private.key --output-public-key /path/to/my-public.key
      Private key: store it separately and securely; it is used to generate tokens
      Public key: stored on every broker node; it is used to validate tokens

    2. Create a token
      bin/pulsar tokens create --private-key file:///path/to/my-private.key --subject test-user --expiry-time 1y

    3. Grant permissions
      bin/pulsar-admin namespaces grant-permission my-tenant/my-namespace --role test-user --actions produce,consume

    4. Modify the broker configuration

    authenticationEnabled=true
    authorizationEnabled=true
    authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderToken
    
    tokenPublicKey=file:///path/to/public.key
    
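    # Roles listed here are super-users: they can perform all admin
    # operations and publish/consume from all topics
    superUserRoles=admin
    
    # Credentials the broker itself uses when it connects to other brokers
    brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationToken
    brokerClientAuthenticationParameters=token:[account token]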
    
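    • Client examples
    1. Java
    import org.apache.pulsar.client.api.AuthenticationFactory;
    import org.apache.pulsar.client.api.PulsarClient;

    // "token" is a placeholder for the token string created above
    PulsarClient client = PulsarClient.builder()
        .serviceUrl("pulsar://broker.example.com:6650/")
        .authentication(AuthenticationFactory.token("token"))
        .build();
    
    2. C++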
    #include <pulsar/Client.h>
    pulsar::ClientConfiguration config;
    config.setAuth(pulsar::AuthToken::createWithToken("token"));
    pulsar::Client client("pulsar://broker.example.com:6650/", config);
    
    • Examples using Pulsar's bundled tools
      Grant permissions:
      bin/pulsar-admin --auth-plugin org.apache.pulsar.client.impl.auth.AuthenticationToken --auth-params token:[admin account token] namespaces grant-permission public/default --role test-user --actions produce

    Produce:
    bin/pulsar-perf produce persistent://public/default/test_my_topic -u pulsar://broker.example.com:6650 -s 1024 -time 120 -r 1000 -n 1 -b 0 --auth_plugin org.apache.pulsar.client.impl.auth.AuthenticationToken --auth-params token:[account token]

    Consume:
    bin/pulsar-perf consume persistent://public/default/test_my_topic -u pulsar://broker.example.com:6650 -s consumer_test_2019 --auth_plugin org.apache.pulsar.client.impl.auth.AuthenticationToken --auth-params token:[account token]
